1. Field of the Invention
The present invention relates to systems and methods of (1) allowing the legitimate holder of a payment instrument to explicitly control the precise conditions under which a payment authorization request against that instrument may be granted or rejected by the financial institution (the instrument issuer) on behalf of the instrument holder, and (2) authenticating payments made using payment instruments, and in particular a system and method for allowing instrument issuers and merchants to ensure that a the payment instrument user is the actual and legitimate holder of that instrument.
2. Description of the Related Art
The recent expansion of commerce on the World Wide Web has added a new source of sales for many established businesses, and has provided new business opportunities for online vending even for companies without a brick and mortar presence. While the Web has provided new opportunities for sales, online shopping has also made it necessary for online merchants to find ways of providing secure methods of obtaining payment from their customers.
One such method is the use of one time use numbers. One time use credit card numbers (a.k.a. Surrogate numbers) are single use credit card account numbers that are generated by the card issuer to the cardholder at the time of an on-line transaction. The single use card number is then transmitted to the merchant by the card holder. The payment authorization/settlement is routed to the acquiring bank and the issuing bank as if it was the real number. The main disadvantages of the one time use credit card numbers are: (1) They do not prevent unauthorized use of the “real” credit card account for neither for “card present” nor “card not present” transactions. (2) They complicate and lengthen the on-line purchase process with merchant sites that require the buyer to store payment information in a merchant wallet (i.e. Amazon.com and Expedia.com). (3) They typically cannot be used for recurring transactions or “signature on file” purchases.
From the point of view of the shopper, online shopping eliminates much of the stress associated with physical shopping. Moreover, online prices are generally lower than prices offered by physical retail merchants. Shopping via the Web has been in existence for a number of years. Shopping by Mail order and Telephone order has been in existence even before the advent of Internet.
The proliferation of various online merchants necessitated the installation of various payment processes. Most of these payment processes require the input of information relating to a payment instrument, such as a credit card, charge card or debit card. Various secure techniques have been developed for securely transmitting this information to the merchant server. For example, the use of Secure Sockets Layer (SSL) protects data being sent across a network.
SmartCard (chip) based payment system architecture based on the SET and 3DSET protocol theoretically offer transmission security, user privacy, strong user authentication, non-repudiation using digital certificate/digital signature. However, these systems require massive investment to the payment processing infrastructure ($11 billion in the U.S alone) and are not expected to be widely accepted and deployed until several years.
However, once at the server, this sensitive financial data is routinely stored in database servers by the online merchants. Moreover, in certain well-publicized instances, hackers have retrieved this kind of data from online merchants servers. It is not unusual for hackers to blackmail and demand the payment of ransom money for this data. There have been cases where the hacker publishes the data when the ransom money is not paid. This has bred insecurity and fear in payment instrument owners. Online merchants also lose credibility in the eyes of their current and potential customers when this type of incident occurs.
Thus, while the Web has provided new opportunities for sales to merchants, as well as added convenience and value for purchasers, incidents such as those discussed above have also made it necessary for online merchants to find ways of providing secure methods of obtaining payment from their customers.
In addition, special considerations must be taken into account when credit cards are used in online transactions. Banks have instituted a classification of payment by card: card present and card not present. Card not present transactions usually incur a higher transaction fee. It is common practice in the United States that any transaction reported by the payment instrument owner as fraudulent is automatically “charged back” to the online Merchant. Such is also the case in Europe. However, since most Europeans use credit lines associated to their debit accounts with banks, the amounts are automatically debited from the accounts. For this reason, it is common for an unauthorized usage to be detected only after the card holder receives a monthly bank statement. In Europe, it is also more the burden of the payment instrument owner to prove the unauthorized usage of his or her payment instrument.
In view of the above, an online merchant must be concerned with receiving payment for goods purchased online. When credit cards are used to pay for a transaction, the possibility exists that someone other than the authorized user of the card is using the credit card information fraudulently makes a purchase fraudulently. This is a problem for a merchant since goods may have been shipped before the fraud is discovered and, as discussed above, the legitimate cardholder is not liable for such use over $50.00.
Another problem facing merchants is the phenomenon of cardholders placing orders and then instructing their issuing bank not to pay, claiming that the transaction was never made. In a card present, or face-to-face transaction, the merchant can display a copy of the cardholder's signature to prove that the purchase was actually made. However, in a card not present (non-face-to-face) online transactions there is no signature, thus making it easier for a cardholder to back out of a transaction.
Cardholders themselves may be concerned with unauthorized use of their credit cards in the online context. In particular, because signatures are not required in card transactions on the Web, a concern exists that their card numbers will be stolen and used for unauthorized purchases.
Thus there exists a need to provide a system and method for providing assurance to the merchant that the person attempting to make a purchase with a payment instrument is in fact the authorized user of the instrument. There also exists a need for a system and method that allows a merchant to prove that the authorized cardholder actually made the transaction. There also exists a need for a system and method for reducing the likelihood of a cardholder's issuing bank authorizing a fraudulent online transaction.